France made headlines on Jan. 21 for fining Google US$57 million – the first fine to be issued for violations of the European Union’s newly implemented General Data Protection Regulation. GDPR, as it’s called, is meant to ensure consumers’ personal information is appropriately used and protected by companies. It also creates procedures to sanction companies that misuse information.
According to French data privacy agency the National Commission on Informatics and Liberty (CNIL), which levied the fine, Google didn’t clearly and concisely provide users with the information they needed to understand how it was collecting their personal data or what it was doing with it. Additionally, CNIL said Google did not obtain user consent to show them personalized advertisements. For its part, Google may appeal.
This case demonstrates the increasingly prominent role that the EU intends to play in policing the use of personal information by major companies and organizations online. The U.S. lags behind Europe on this front. As a researcher who studies computer hacking and data breaches, I’d argue the U.S. may have ceded regulatory powers to the EU – despite being the headquarters for most major internet service providers. Why has the U.S. not taken a similarly strong approach to privacy management and regulation?